Hardening a debian wheezy linux apache server

So, I’ve been making a couple of servers publicly accessible so as to allow some services outside the firewall. The main things I’m aiming to have available are git and mediawiki, which in turn means making SSH and Apache services available.

I have a virtual server that is my main gateway, and I have a Smoothwall that sits at the perimeter. I've been through a bunch of different sites and looked at lots of documentation; this post just points to a few of them in case someone else is following the same path.

Firstly, I'm on Debian, so the authoritative manual is the Securing Debian Manual. It is reasonably old and looks clunky, but the advice in it remains good. From it I picked up the following tools:

harden – a Debian metapackage (split into harden-servers, harden-clients and friends) that declares conflicts with packages known to be risky, such as telnetd, so it is hard to accidentally install something that weakens security, and that pulls in a set of auditing tools

tiger – an auditing tool that reports what is running on the machine and which known weaknesses it finds (listening services, weak account settings, world-writable files and so on); run it with tiger -E

tripwire – a host-based integrity checker: it records a signed database of hashes and attributes for key files (system binaries as well as configuration) and a daily cron job reports any that have changed. It's better if the database and its keys live on write-protected media, so that an attacker who has modified files cannot simply regenerate the database to match, but even without that it will probably give you an alert for most script-kiddie type attacks

checksecurity – runs a set of daily checks from cron (for example, it reports new or changed setuid/setgid binaries). Waiting to see what it reports as yet

chkrootkit – looks for known rootkits: trojaned system binaries, hidden processes and suspicious kernel modules

debsums – I think this checks that your packages in dpkg haven’t been corrupted or compromised. Not sure how it works as yet
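Both tripwire and debsums come down to the same idea: a baseline of file hashes taken while the system is known-good, compared later against what is on disk (debsums uses the MD5 sums each package ships in /var/lib/dpkg/info/*.md5sums; tripwire keeps its own signed database). The pair of shell functions below is an added example, not code from the post or from either tool, that shows that baseline-and-verify loop on a directory and why the baseline must not be writable by whoever you are trying to catch. It assumes GNU coreutils (sha256sum, comm) and uses constructed file paths.

```shell
#!/bin/sh
# Added example: the core of what tripwire and debsums do, reduced to a
# baseline-and-verify pair of functions. Paths in the usage are hypothetical.

# baseline_dir DIR BASELINE
#   Record the sha256 of every regular file under DIR into BASELINE, then make
#   the baseline read-only. A real deployment keeps this on read-only media or
#   in a signed store (tripwire signs its database with the site key): an
#   attacker who can rewrite the baseline simply re-baselines their changes.
baseline_dir() {
    dir=$1; base=$2
    find "$dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$base"
    chmod 0444 "$base"
}

# verify_dir DIR BASELINE
#   Prints "CHANGED path" for files whose content differs from the baseline or
#   that have vanished, and "NEW path" for files that were not in the baseline
#   (a new binary dropped into a bin directory is as interesting as a modified
#   one). Returns 1 if anything was reported, 0 if the tree is clean.
verify_dir() {
    dir=$1; base=$2; rc=0
    # sha256sum -c reports modified or missing entries as "path: FAILED ..."
    changed=$(sha256sum --quiet -c "$base" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    # Baseline lines look like "<hash>  <path>" (two spaces), so the path is
    # field 3 onwards when splitting on single spaces.
    tmp=$(mktemp)
    cut -d' ' -f3- "$base" | LC_ALL=C sort > "$tmp"
    added=$(find "$dir" -type f | LC_ALL=C sort | comm -23 - "$tmp")
    rm -f "$tmp"
    for p in $changed; do printf 'CHANGED %s\n' "$p"; rc=1; done
    for p in $added;   do printf 'NEW %s\n' "$p"; rc=1; done
    return $rc
}

# Usage (hypothetical paths):
#   baseline_dir /etc /media/ro/etc.sha256     # once, on a known-good system
#   verify_dir   /etc /media/ro/etc.sha256     # daily from cron; non-zero means look
```

The example hashes only content; tripwire also records ownership, permissions and inode data, which catches a setuid bit being added without any change to the file body, and debsums only covers files that a package shipped, so locally created configuration is outside its view.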

iptables. I have a firewall on the front end (Smoothwall), so I don't need inbound iptables so much. And as yosti has said, I'm only running a handful of services, so no other ports are open anyway. But I like the idea of limiting outbound internet access to only those users that I specifically enable it for. In short, it would stop a compromised account from downloading anything (such as a rootkit) and so make it hard to take over the machine with anything other than the software already on it, which is hard work. So this is still on my list to do.
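The per-user outbound restriction described above is what the iptables owner match (`-m owner --uid-owner`) does on the OUTPUT chain: it only sees locally generated packets, so it can allow new connections from the accounts you name and drop everything else, while replies from Apache and sshd to inbound connections still pass as ESTABLISHED. The script below is an added example, not the post's own configuration, that generates such a ruleset in iptables-restore format; the user names in the usage are hypothetical, and it assumes the owner and state matches are available (they are in the wheezy kernel).

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset whose OUTPUT chain lets
# only the listed accounts open new outbound connections. User names below are
# hypothetical; numeric arguments are accepted as uids so the generator can be
# exercised without real accounts.

# Resolve a user name to a uid; numeric arguments pass straight through.
uid_of() {
    case $1 in
        *[!0-9]*) id -u "$1" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# gen_outbound_rules USER... > /etc/iptables/rules.v4
#   Default policy on OUTPUT is DROP. Loopback and replies to already accepted
#   connections go first, then one ACCEPT per permitted uid, then a rate
#   limited LOG so a blocked download attempt shows up in syslog.
gen_outbound_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Local traffic, and replies belonging to connections that were already allowed
# (this is what keeps Apache and sshd answering inbound clients).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for u in "$@"; do
        uid=$(uid_of "$u") || return 1
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    cat <<'EOF'
# Anything else (www-data, git, a daemon account that got compromised) is
# logged, rate limited, and rejected.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DENY: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Usage (hypothetical account names): include root so apt-get keeps working.
#   gen_outbound_rules root alice > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
# The iptables-persistent package reloads rules.v4 at boot.
```

Two caveats a practitioner should keep in mind. Root has to be on the list for package updates, and an attacker who gets root can remove the rules anyway, so this raises the cost of a compromised service account, not of a root compromise. And the owner match does not cover packets the kernel generates itself (ICMP errors, for instance), which fall through to the REJECT; that is harmless for this use but explains the log lines you will see.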